Nomisec Exploits

22,743 exploits tracked across all sources.

Sort: Activity Stars
CVE-2023-40000 NOMISEC HIGH
LiteSpeed Cache < 5.7 - Unauthenticated Stored Cross-Site Scripting
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through 5.7.
by quantiom
5 stars
CVSS 8.3
CVE-2024-32523 NOMISEC HIGH
EverPress Mailster <4.0.6 - Path Traversal
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EverPress Mailster mailster.This issue affects Mailster: from n/a through <= 4.0.6.
by tucommenceapousser
CVSS 8.1
CVE-2023-3460 NOMISEC CRITICAL
Ultimate Member <2.6.7 - Privilege Escalation
The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
by Rajneeshkarya
1 stars
CVSS 9.8
CVE-2024-1561 NOMISEC HIGH
gradio-app/gradio - Info Disclosure
An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.
by DiabloHTB
4 stars
CVSS 7.5
CVE-2024-31497 NOMISEC MEDIUM
PuTTY 0.68-0.80 - Cryptographically Weak PRNG in ECDSA Nonce Generation
In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.
by HugoBond
11 stars
CVSS 5.9
CVE-2024-21413 NOMISEC CRITICAL
Microsoft 365 Apps and Office 2016-2019 - Remote Code Execution via Moniker Link
Microsoft Outlook Remote Code Execution Vulnerability
by th3Hellion
CVSS 9.8
CVE-2023-27524 NOMISEC HIGH
Apache Superset Signed Cookie Priv Esc
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.
by karthi-the-hacker
1 stars
CVSS 8.9
CVE-2024-34226 NOMISEC CRITICAL
SourceCodester Visitor Management System 1.0 - SQL Injection
SQL injection vulnerability in /php-sqlite-vms/?page=manage_visitor&id=1 in SourceCodester Visitor Management System 1.0 allow attackers to execute arbitrary SQL commands via the id parameters.
by dovankha
CVSS 9.4
CVE-2024-34225 NOMISEC MEDIUM
Computer Laboratory Management System <1.0 - XSS
Cross Site Scripting vulnerability in php-lms/admin/?page=system_info in Computer Laboratory Management System using PHP and MySQL 1.0 allow remote attackers to inject arbitrary web script or HTML via the name, shortname parameters.
by dovankha
CVSS 6.1
CVE-2024-34224 NOMISEC HIGH
Computer Laboratory Management System 1.0 - XSS
Cross Site Scripting vulnerability in /php-lms/classes/Users.php?f=save in Computer Laboratory Management System using PHP and MySQL 1.0 allow remote attackers to inject arbitrary web script or HTML via the firstname, middlename, lastname parameters.
by dovankha
CVSS 7.3
CVE-2024-34223 NOMISEC MEDIUM
SourceCodester HRMS 1.0 - Info Disclosure
Insecure permission vulnerability in /hrm/leaverequest.php in SourceCodester Human Resource Management System 1.0 allow attackers to approve or reject leave ticket.
by dovankha
CVSS 4.3
CVE-2024-34222 NOMISEC MEDIUM
Sourcecodester HRMS 1.0 - SQL Injection
Sourcecodester Human Resource Management System 1.0 is vulnerable to SQL Injection via the searccountry parameter.
by dovankha
CVSS 5.9
CVE-2024-34221 NOMISEC HIGH
Sourcecodester HRMS 1.0 - Privilege Escalation
Sourcecodester Human Resource Management System 1.0 is vulnerable to Insecure Permissions resulting in privilege escalation.
by dovankha
CVSS 8.8
CVE-2023-27350 NOMISEC CRITICAL
PaperCut MF and NG 8.0-20.1.7 - Unauthenticated Remote Code Execution via SetupCompleted
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
by rasan2001
CVSS 9.8
CVE-2022-29072 NOMISEC HIGH
7-Zip <21.07 - Privilege Escalation
7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. NOTE: multiple third parties have reported that no privilege escalation can occur
by rasan2001
CVSS 7.8
CVE-2019-0708 NOMISEC CRITICAL
CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
by rasan2001
CVSS 9.8
CVE-2024-34310 NOMISEC HIGH
Jin Fang Times CMS <3.2.3 - SQL Injection
Jin Fang Times Content Management System v3.2.3 was discovered to contain a SQL injection vulnerability via the id parameter.
by 3309899621
CVSS 8.8
CVE-2024-24787 NOMISEC MEDIUM
Go cmd/go 1.21.10 and 1.22.0-1.22.3 - Code Execution via CGO LDFLAGS
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
by LOURC0D3
5 stars
CVSS 6.4
CVE-2021-41091 NOMISEC MEDIUM
Moby < 20.10.9 - Unprivileged Host User Data Exposure and Privilege Escalation via Insufficient Directory Permissions
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers.
by jrbH4CK
CVSS 6.3
CVE-2023-52654 NOMISEC MEDIUM
Linux Kernel 5.4.220-5.4.263 - File Reference Cycle via io_uring Socket Transmission
In the Linux kernel, the following vulnerability has been resolved: io_uring/af_unix: disable sending io_uring over sockets File reference cycles have caused lots of problems for io_uring in the past, and it still doesn't work exactly right and races with unix_stream_read_generic(). The safest fix would be to completely disallow sending io_uring files via sockets via SCM_RIGHT, so there are no possible cycles invloving registered files and thus rendering SCM accounting on the io_uring side unnecessary.
by FoxyProxys
CVSS 4.7
CVE-2024-0399 NOMISEC HIGH
WooCommerce Customers Manager < 29.7 - Authenticated SQL Injection
The WooCommerce Customers Manager WordPress plugin before 29.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role.
by xbz0n
1 stars
CVSS 8.1
CVE-2024-0566 NOMISEC HIGH
Smart Manager WP <8.28.0 - SQL Injection
The Smart Manager WordPress plugin before 8.28.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
by xbz0n
1 stars
CVSS 7.2
CVE-2022-0185 NOMISEC HIGH
Linux kernel - Privilege Escalation
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.
by dcheng69
2 stars
CVSS 8.4
CVE-2024-21111 NOMISEC HIGH
Oracle VM VirtualBox < 7.0.16 - Privilege Escalation via Core Component
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows hosts only. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
by mansk1es
216 stars
CVSS 7.8
CVE-2020-0688 NOMISEC HIGH
Microsoft Exchange Server - Remote Code Execution via Memory Corruption
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.
by W01fh4cker
16 stars
CVSS 8.8